ComboFix 08-04-24.1 - Aga 2008-05-03 13:13:42.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1309 [GMT 2:00]
Running from: E:\programy\usuwanieAmvo\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

.
((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.

2008-05-03 13:08 . 2008-05-03 13:08 16,244 --a------ C:\WINDOWS\system32\rrt_is.wav
2008-05-03 13:08 . 2008-05-03 13:08 7,302 --a------ C:\WINDOWS\system32\rrt_vf.wav
2008-05-03 13:08 . 2008-05-03 13:08 7,148 --a------ C:\WINDOWS\system32\rrt_tv.wav
2008-05-03 13:08 . 2008-05-03 13:08 6,282 --a------ C:\WINDOWS\system32\rrt_tn.wav
2008-05-03 12:26 . 2008-05-03 12:26
2008-05-03 11:15 . 2008-05-03 11:15
2008-05-03 11:14 . 2008-05-03 11:26
2008-04-30 21:19 . 2008-04-30 21:19
2008-04-30 21:02 . 2001-09-13 02:15 90,112 --------- C:\WINDOWS\snymsico.dll
2008-04-30 21:02 . 2002-08-08 15:51 38,951 --------- C:\WINDOWS\system32\drivers\NETMDUSB.sys
2008-04-30 21:02 . 2005-10-31 10:46 36,679 --------- C:\WINDOWS\system32\drivers\NETMD052.sys
2008-04-30 21:02 . 2003-11-10 12:31 36,232 --------- C:\WINDOWS\system32\drivers\NETMD033.sys
2008-04-30 21:02 . 2003-04-01 18:55 35,319 --------- C:\WINDOWS\system32\drivers\NETMD031.sys
2008-04-30 21:01 . 2007-01-13 08:24 770,048 --a------ C:\WINDOWS\system32\CDDBUISony.dll
2008-04-30 21:01 . 2007-01-13 08:22 655,360 --a------ C:\WINDOWS\system32\CDDBControlSony.dll
2008-04-30 21:01 . 2007-01-13 08:22 589,824 --a------ C:\WINDOWS\system32\CddbMusicIDSony.dll
2008-04-30 21:01 . 2007-01-13 08:25 532,480 --a------ C:\WINDOWS\system32\CddbPlaylist2Sony.dll
2008-04-30 21:01 . 2006-10-18 16:30 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-04-30 21:01 . 2007-01-13 08:24 73,728 --a------ C:\WINDOWS\system32\CddbLinkSony.dll
2008-04-30 21:00 . 2008-04-30 21:00
2008-04-30 20:59 . 2008-04-30 21:00
2008-04-29 21:27 . 2008-04-30 21:19
2008-04-29 21:20 . 2008-04-30 21:02
2008-04-29 21:20 . 2006-11-02 16:57 118,520 --------- C:\WINDOWS\system32\PxInsI64.exe
2008-04-29 21:20 . 2006-10-29 01:00 116,472 --------- C:\WINDOWS\system32\PxCpyI64.exe
2008-04-29 21:20 . 2006-08-28 21:48 2,560 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-29 21:20 . 2006-08-28 21:48 2,432 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-29 21:15 . 2008-04-29 21:15
2008-04-26 12:16 . 2008-04-26 12:37
2008-04-26 10:34 . 2008-04-26 10:34 0 --a------ C:\WINDOWS\system32\drivers\dmserver.sys
2008-04-26 10:34 . 2008-04-26 10:34 0 --a------ C:\WINDOWS\system32\drivers\Diskeeper.sys
2008-04-26 10:33 . 2008-04-26 10:33 0 --a------ C:\WINDOWS\system32\drivers\CiSvc.sys
2008-04-26 10:33 . 2008-04-26 10:33 0 --a------ C:\WINDOWS\system32\drivers\Browser.sys
2008-04-25 19:49 . 2008-04-26 20:32
2008-04-25 19:00 . 2004-12-19 23:00 111,104 --a------ C:\WINDOWS\system32\uharc.exe
2008-04-25 19:00 . 2004-09-03 23:43 199 --a------ C:\WINDOWS\system32\paypal.url
2008-04-25 19:00 . 2005-01-28 01:49 111 --a------ C:\WINDOWS\system32\winx.url
2008-04-25 18:35 . 2008-04-25 18:35 0 --a------ C:\WINDOWS\system32\drivers\CryptSvc.sys
2008-04-25 18:35 . 2008-04-25 18:35 0 --a------ C:\WINDOWS\system32\drivers\AudioSrv.sys
2008-04-25 18:35 . 2008-04-25 18:35 0 --a------ C:\WINDOWS\system32\drivers\ALG.sys
2008-04-25 18:21 . 2008-04-25 18:21 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-25 18:17 . 2008-05-03 13:14
2008-04-25 18:17 . 2008-02-19 21:54
2008-04-25 18:17 . 2008-02-19 21:02
2008-04-25 18:17 . 2008-05-03 11:44
2008-04-25 18:17 . 2008-02-19 21:54
2008-04-25 18:17 . 2008-02-19 21:54
2008-04-25 18:17 . 2008-02-19 21:54
2008-04-25 18:17 . 2008-04-25 18:17
2008-04-25 18:17 . 2008-05-03 13:13 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-25 18:16 . 2008-04-25 18:22
2008-04-25 18:16 . 2008-04-25 18:16
2008-04-25 18:16 . 2008-04-25 18:15 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-04-25 18:16 . 2008-04-25 18:15 87,312 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-04-25 18:16 . 2008-04-25 18:15 23,824 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-04-25 18:15 . 2008-04-25 18:15
2008-04-21 10:30 . 2008-04-21 10:29 104,925 -r-hs---- C:\dwvo.cmd
2008-04-21 05:01 . 2008-04-22 18:40
2008-04-19 09:13 . 2008-04-19 09:13 103,885 -r-hs---- C:\mug0sd.cmd
2008-04-16 16:09 . 2008-04-21 18:25
2008-04-16 16:07 . 2008-04-16 16:07
2008-04-16 15:08 . 2008-04-16 15:10
2008-04-16 15:02 . 2008-04-16 15:03
2008-04-16 14:58 . 2008-04-10 21:21
2008-04-08 17:37 . 2008-04-08 17:37
2008-04-06 19:56 . 2008-04-06 19:55 103,343 -r-hs---- C:\2.bat
2008-04-04 20:10 . 2008-04-05 21:06 103,463 -r-hs---- C:\m9j.com
2008-04-03 20:44 . 2008-04-03 20:44 102,407 -r-hs---- C:\gy.cmd
2008-04-03 20:42 . 2008-04-03 20:42
2008-04-03 20:41 . 2008-04-03 20:41
2008-04-03 20:40 . 2008-04-03 20:40

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-05-03 09:10 --------- d-----w C:\Documents and Settings\Aga\Dane aplikacji\foobar2000
2008-05-02 22:09 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin
2008-04-30 19:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-28 21:45 --------- d-----w C:\Program Files\eMule
2008-04-25 17:50 --------- d-----w C:\Program Files\Opera
2008-04-23 10:35 --------- d-----w C:\Program Files\Russkij Translator
2008-04-20 08:14 --------- d-----w C:\Documents and Settings\Aga\Dane aplikacji\uTorrent
2008-04-18 15:29 --------- d-----w C:\Program Files\TransDeu3
2008-04-16 14:07 --------- d-----w C:\Program Files\Java
2008-04-16 13:39 --------- d-----w C:\Program Files\OpenOffice.org 2.3.1
2008-04-16 13:26 --------- d-----w C:\Documents and Settings\Aga\Dane aplikacji\OpenOffice.org2
2008-04-14 16:50 --------- d-----w C:\Program Files\Unlocker
2008-04-14 11:30 --------- d-----w C:\Documents and Settings\Aga\Dane aplikacji\Tlen.pl
2008-04-10 18:07 --------- d-----w C:\Program Files\ABBYY PDF Transformer 2.0
2008-04-02 17:26 --------- d-----w C:\Documents and Settings\Aga\Dane aplikacji\Wireshark
2008-04-02 13:47 103,084 --sh--r C:\6l6w8.com
2008-03-31 19:43 139,264 ----a-w C:\WINDOWS\system32\hpzjrd01.dll
2008-03-31 16:25 --------- d-----w C:\Program Files\Mahjong
2008-03-28 17:36 --------- d-----w C:\Program Files\Bejeweled 2 Deluxe
2008-03-28 17:29 720,896 ----a-w C:\WINDOWS\iun6002ev.exe
2008-03-25 16:06 --------- d-----w C:\Program Files\NAPI-PROJEKT
2008-03-21 18:15 --------- d-----w C:\Program Files\Common Files\DirectX
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-15 11:20 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-03-14 23:21 --------- d-----w C:\Program Files\foobar2000
2008-03-14 10:10 --------- d-----w C:\Documents and Settings\Aga\Dane aplikacji\Skype
2008-03-14 10:08 --------- d-----w C:\Documents and Settings\Aga\Dane aplikacji\skypePM
2008-03-14 10:04 --------- d-----w C:\Program Files\Common Files\Java
2008-03-14 09:53 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-13 20:17 --------- d-----w C:\Program Files\Deutsch Translator 2
2008-03-12 23:30 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2008-03-12 23:30 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2008-03-12 23:30 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2008-03-12 23:30 --------- d-----w C:\Program Files\YDP
2008-03-12 19:13 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-12 19:12 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-12 19:12 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\TuneUp Software
2008-03-12 19:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-10 01:21 --------- d-----w C:\Program Files\KM Wakeup
2008-03-07 18:00 --------- d-----w C:\Documents and Settings\Aga\Dane aplikacji\Desktopicon
2008-03-06 16:43 --------- d-----w C:\Program Files\WapSter
2008-03-05 10:07 --------- d-----w C:\Program Files\Folder2MyPC
2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-19 21:40 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-02-19 19:30 34,308 ----a-w C:\WINDOWS\system32\Chip.dll
2008-02-19 19:22 64,419 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2008-02-19 19:22 6,110 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-02-19 19:22 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-02-15 23:41 1,638,400 ----a-w C:\WINDOWS\system32\gdiplus.dll
2008-02-15 23:23 82,432 ----a-w C:\WINDOWS\system32\msxml4r.dll
2008-02-15 21:34 54,784 ----a-w C:\WINDOWS\system32\msvci70.dll
2008-02-15 21:32 118,848 ----a-w C:\WINDOWS\system32\SHW32.DLL

.
------- Sigcheck -------

2007-06-13 15:23 976896 e74ef52c79f3347a0b105b0b92bfed38 C:\WINDOWS\explorer.exe
2007-06-13 15:12 1034752 8db0650b211425b9cdb7d1c4a8f6b482 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 00:44 975872 196c130d31317fe53de984220b5e13b9 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 15:23 976896 e74ef52c79f3347a0b105b0b92bfed38 C:\WINDOWS\system32\dllcache\explorer.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2F7DB8D7-9BE7-4666-901E-F380555BCAC7}"= "C:\Program Files\Russkij Translator\InternetTranslatorRusPol.dll" [2008-02-07 17:14 364544]

[HKEY_CLASSES_ROOT\clsid\{2f7db8d7-9be7-4666-901e-f380555bcac7}]
[HKEY_CLASSES_ROOT\InternetTranslatorRusskij.TranslationFrameBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{138787BF-B420-48B7-82DB-1EA418EC3FE4}]
[HKEY_CLASSES_ROOT\InternetTranslatorRusskij.TranslationFrameBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 08:00 16050176 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 17:44 8429568]
"nwiz"="nwiz.exe" [2007-04-12 17:44 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 17:44 81920]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 18:38 221184]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-04-25 18:15 1572608]
"RRT-Auto"="C:\Documents and Settings\Aga\Pulpit\RRT.exe" [2008-05-02 20:28 139776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\Aga\Menu Start\Programy\Autostart\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-04-29 21:20:25 385024]
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 00:05:02 630784]
TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 21:41:18 65536]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 09:43:08 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS.exe]
Debugger=notepad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"CorelDRAW Graphics Suite 11b"=C:\Program Files\Corel\Corel Graphics 12\Languages\PL\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=041008 serial=DR12WEX-1552087-TQU lang=PL
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
"GamerOSD"=C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Tlen.pl\tlen.exe"=
"C:\Program Files\Bonjour\mDNSResponder.exe"=
"C:\Program Files\uTorrent\utorrent.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\eMule\emule.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"=
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"=
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"=
"C:\Program Files\WapSter\AQQ\AQQ.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=
"C:\Program Files\Windows Media Player\wmplayer.exe"=
"C:\Program Files\Mozilla Firefox\firefox.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-04-25 18:15]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-04-25 18:15]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:44]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2006-09-29 11:06]
S1 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb32.sys [2005-10-20 17:25]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-12 21:12]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
*Newly Created Service* - RICHVIDEO
.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 15:15:51 C:\WINDOWS\Tasks\1-Click Maintenance.job" - C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-03-14 16:16:16 C:\WINDOWS\Tasks\1-Klik Konserwacja.job" - C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 13:14:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-05-03 13:15:48
ComboFix-quarantined-files.txt 2008-05-03 11:15:27
ComboFix2.txt 2008-05-03 10:24:38

Pre-Run: 41,505,779,712 bytes free
Post-Run: 41,492,901,888 bytes free

254 --- E O F --- 2008-04-09 18:24:53
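Added triage example (not part of the posted log, and not ComboFix's or Gmer's own code): a small Python script that parses the "Files Created" entry format shown above and the Image File Execution Options key/Debugger pair from the Reg Loading Points section, and returns the entries a responder would read first. The heuristics are the editor's assumptions, not verdicts: a script or executable sitting directly in a drive root with hidden+system attributes, a zero-byte file carrying a driver name, and any IFEO Debugger value. The embedded sample lines are excerpted from the log above; nothing else in the block comes from the page. The same-minute count it reports is there to separate installer bursts (many files created in one minute, old modification dates) from lone drops, which is how the five hidden root-level files in this log stand out: each was created alone, on a different day.

```python
"""Triage helpers for a ComboFix log (added example, not ComboFix's code).

Handles two sections of the log format:
  * "Files Created" entries:  <created> . <modified> <size> <attrs> <path>
  * "Reg Loading Points":     an Image File Execution Options key followed
                               (same line or next line) by Debugger=<value>
Every hit is a lead to verify, not a conclusion.  In the log this was written
for, guard32.dll under AppInit_DLLs was created in the same minute as the
COMODO firewall drivers and belongs to that product.
"""
import re
from collections import Counter
from dataclasses import dataclass

# ComboFix's nine-character attribute field, e.g. --a------ or -r-hs----.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>\S.*)$"
)
# A script or executable directly in a drive root, e.g. C:\gy.cmd.
ROOT_EXEC_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(cmd|bat|com|exe|pif|scr)$", re.I)
# IFEO key for an image name, then its Debugger value.
IFEO_RE = re.compile(
    r"image file execution options\\(?P<image>[^\]\r\n]+)\]\s*Debugger=(?P<debugger>[^\r\n]+)",
    re.I,
)


@dataclass
class Entry:
    created: str    # "YYYY-MM-DD HH:MM" creation time on this machine
    modified: str   # last-write time; much older for copied installer payloads
    size: int
    attrs: str
    path: str


def parse_entries(text):
    """Return the parseable 'Files Created' entries in text, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["created"], m["modified"],
                                 int(m["size"].replace(",", "")),
                                 m["attrs"], m["path"]))
    return entries


def flag_entries(entries):
    """Return (path, reasons, files_created_same_minute) for suspicious entries."""
    per_minute = Counter(e.created for e in entries)
    findings = []
    for e in entries:
        name = e.path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if ROOT_EXEC_RE.match(e.path) and "h" in e.attrs and "s" in e.attrs:
            reasons.append("hidden+system script/executable in drive root")
        if e.size == 0 and name.endswith(".sys"):
            reasons.append("zero-byte file with a driver name")
        if reasons:
            findings.append((e.path, reasons, per_minute[e.created]))
    return findings


def find_ifeo_debuggers(reg_text):
    """Return [(image, debugger)] for every IFEO Debugger value in the section.

    Any Debugger value redirects launches of that image, whether set by malware
    or, as a blocking trick, by a cleanup tool; either way it needs a look.
    """
    return [(m["image"].strip(), m["debugger"].strip())
            for m in IFEO_RE.finditer(reg_text)]


# Sample input: lines excerpted from the log above, not the full sections.
SAMPLE_FILES = r"""
2008-05-03 13:08 . 2008-05-03 13:08 16,244 --a------ C:\WINDOWS\system32\rrt_is.wav
2008-04-26 10:34 . 2008-04-26 10:34 0 --a------ C:\WINDOWS\system32\drivers\dmserver.sys
2008-04-25 18:35 . 2008-04-25 18:35 0 --a------ C:\WINDOWS\system32\drivers\CryptSvc.sys
2008-04-25 18:17 . 2008-05-03 13:13 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-21 10:30 . 2008-04-21 10:29 104,925 -r-hs---- C:\dwvo.cmd
2008-04-19 09:13 . 2008-04-19 09:13 103,885 -r-hs---- C:\mug0sd.cmd
2008-04-06 19:56 . 2008-04-06 19:55 103,343 -r-hs---- C:\2.bat
2008-04-04 20:10 . 2008-04-05 21:06 103,463 -r-hs---- C:\m9j.com
2008-04-03 20:44 . 2008-04-03 20:44 102,407 -r-hs---- C:\gy.cmd
"""
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS.exe]
Debugger=notepad.exe
"""


def triage(files_text=SAMPLE_FILES, reg_text=SAMPLE_REG):
    """Run both checks and return their findings together."""
    return {"files": flag_entries(parse_entries(files_text)),
            "ifeo": find_ifeo_debuggers(reg_text)}


if __name__ == "__main__":
    result = triage()
    for path, reasons, n in result["files"]:
        print(f"{path}: {'; '.join(reasons)} (files created that minute: {n})")
    for image, dbg in result["ifeo"]:
        print(f"IFEO: {image} -> {dbg}")
```

Run it against a full log by reading the two sections into `files_text` and `reg_text`; the Find3M section uses a different, seven-character attribute field and is deliberately not parsed here. Entries whose directory name was lost in the copy above (the lines carrying only two timestamps) are skipped rather than guessed at.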